Malicious Linux Shell Scripts Used to Evade Defenses

Attackers’ evasive methods stretch back to the times when base64 and other popular encoding schemes were utilized. 

New Linux shell script methods and techniques are being used by attackers today to deactivate firewalls, monitor agents, and change access control lists (ACLs). The common evasive shell-script techniques are: 

1.Uninstalling monitoring agents 

Monitoring agents are software elements that track the system’s process and network activity on a regular basis. The monitoring agents also produce various logs, which are useful during an incident probe. 

The malicious script, discovered in the osquery-based sandbox, attempts to uninstall the cloud-related monitoring agent Aegis (Alibaba Cloud threat detection agent) and terminate the Aliyun service. It also tries to uninstall YunJing, a host security agent from Tencent and BCM client management agent, which is generally installed on Endpoints for risk mitigation. 

2.Disabling Firewalls and Interrupts 

As a defensive measure, most systems and servers employ firewalls. As a defence evasive technique, the malicious software attempts to deactivate the firewall, i.e., uninterrupted firewall (ufw). In addition, attackers delete iptables rules (iptables -F), which are commonly used on Linux computers and servers for controlling firewall rules. 

The instructions were also exploited by attackers to deactivate non-maskable Interrupts (nmi). Watchdog is a configurable timer system that creates an interruption when a certain condition and time are met. The nmi watchdog interrupt handler would stop the process that caused the system to freeze in the case of a system freeze. To get over this defense, attackers disable the watchdog feature using the sysctl command or temporarily disabling it by setting the value to ‘0’. 

3.Disabling Linux Security Modules (LSMs) 

Security components such as SElinux and Apparmor are also disabled by the malicious shell script. These modules are used to establish MAC policies (mandatory access control). These modules might be easily configured by a server administrator to give users restricted access to the system’s installed or running programs. 

-AppArmour: AppArmour is a Linux security feature that allows users to lock down apps such as Firefox for added protection. In Ubuntu’s default setup, a user can restrict a program by granting it limited permissions. 

– SElinux: SElinux is a Linux security feature that allows a security administrator to deploy security context to certain apps and services. The shell is blocked or limited on various web servers, therefore RCE (Remote Code Execution) attackers generally bypass/disable it. 

4.Modifying ACLs 

The guidelines for granting rights on files and utilities are contained in ACLs, or Access Control Lists. ACLs on filesystems notify operating systems which users are authorized to access the system and what rights they possess. In Linux, the setfacl program is used to change and remove ACLs. 

5.Changing Attributes 

In Linux, the chattr is used to set and unset various characteristics of a file. Attackers use this to protect their own dropped files or to make their files permanent so that they can’t be deleted by a user.

6.Renaming common utilities 

Common utilities like wget and curl were utilized with various names in one of the malicious scripts. These programs are often used to acquire files from a distant IP address. These tools are used by attackers to download malicious files from C2. 

If wget and curl are used under different names, some security systems that track the precise names of the utilities may not trigger the download event. 

-EDR Detections by Uptycs 

These malicious scripts were discovered with a threat level of 10/10 by Uptycs EDR using YARA process scanning. 

As attackers employ more complex and new techniques of evasion, it’s more vital than ever to keep track of and document what’s going on in the system. As per the Threat Post, the following suggestions are recommended: 

-Monitor suspicious processes, events, and network traffic that result from the execution of any untrusted binary on a regular basis.

-Keep your systems and firmware up to date with the most recent fixes and releases.